GDPR

The GDPR section covers a number of topics: Legal Basis, User Documentation, User GDPR Right Requests, Data Breaches and DPA Overview.

All of these components are mandatory and will also be part of the GDPR Assessment.

In the overview of Stakeholder & Legal Requirements you have probably listed GDPR more than once in relation to your stakeholders. ISO 27001 requires you to address all of the above topics.

Please open your Data Classification section again: for every data source you will need to ask whether that data source contains Personal Data (see Wiki Data Classification). For the definition of Personal Data under GDPR, please check Personal data.

It is possible to define multiple legal bases for one data source.

We advise that, when adding a legal basis, you add the name of the data source yourself: use the "+Add new Field" feature, add a "Text Field" and name the box Data Source.

In this way you have made a cross-link between Data Classification and Legal Basis.

Please find below more information about the legal basis choices.

  1. Consent: The data subject has freely given consent for their personal data to be processed for a specific purpose. Tacit consent is not enough. You must be able to demonstrate that you have received valid permission from people to process their personal data. Withdrawing consent must be as easy as giving it, and you must inform the data subject of this right. After consent is withdrawn, you must stop processing the relevant data; you cannot then switch to another basis to keep processing it.
  2. Execution of an agreement: You may process personal data for the execution of an agreement with the data subject. For example, recording name and address details to be able to deliver an ordered product to your customer's home. This data may only be used for that purpose. You may not use this information later to send your customer a newsletter; for that you need separate permission.
  3. Legal obligation: Sometimes you have to record personal data to comply with a legal obligation. An employer must record the personal data of employees and pass it on to, for example, the Tax and Customs Administration. Without the employee's permission, the data may not be passed on to an organisation for which there is no legal obligation; for that, permission is required again.
  4. Vital interest: In emergencies, when health or life is at risk, the processing of personal data by care providers may be justified. This basis can only be used if it is really not possible to obtain permission.
  5. Public interest: You may process personal data under this basis if the processing is necessary for a task carried out in the public interest or in the exercise of official authority, laid down in another legal provision in which the purpose of the processing is also described.
  6. Legitimate interest: Personal data may be processed to pursue a legitimate interest of the organisation. "Legitimate interest" does not apply if the rights and interests of the data subjects outweigh that interest. It may be a legitimate interest if there is a relevant and appropriate relationship between an organisation and its customers. A legitimate interest may include processing login names and passwords for network security. The organisation must be open about its legitimate interest, and data subjects can object to processing based on legitimate interest.

When you have chosen your legal basis you will need to add:

  • Whether you are Data Controller or Data Processor. High-level rule: if you are B2B, you are data processor for your customers' data, as your customer decides what the purpose of your product is. In some cases you are both: for data whose purpose you decide yourself (for example your own employee or billing data) you are the controller.
  • The country in which you collect the data and the relevant Data Protection Authority.
  • Use this link for a complete overview of all Data Protection Authorities in Europe: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm


User Documentation : Overview of all documentation for Users

Use this section to store the latest versions of your End-User documentation and keep track of versioning. End-Users are consumers, the data subjects protected by the GDPR. There are a number of types of End-User Documentation:

  • Internal Privacy Policy – specific to your internal organisation (team members)
  • External Privacy Policy – specific privacy rules for the End-Users making use of your product/service
  • Cookie Policy – mandatory if you have a website – explanation of the cookies used and the reason for their use (remember that you will always use at least a minimum set of strictly necessary cookies)
  • Terms of Use – specific service rules for the End-User while making use of your product/service

Which end-user documentation you need depends on your product/service.

Checklist for your external privacy policy, topics to address:

  • your company details
  • the purpose of the data capture and the legal basis
  • what data you collect
  • to whom you may pass on the data
  • how long you keep the data
  • the security you have applied to the recorded personal data
  • the right to inspect, correct, delete and transfer one's own data (data portability)
  • the right to withdraw consent
  • the right to file a complaint
  • how you ask for consent

A yearly review is needed: add your document and, every year, review it and record a short note on the changes made. C-level approvals can be added as evidence.

User GDPR Right Requests : Your register to keep track of End-User requests, e.g. data deletion

Data rights requests are requests from End-Users to exercise one of the GDPR rights: withdraw consent, inspect, correct, delete or transfer their data (data portability). If you have a B2B product, you will probably not be responsible for registering the data rights requests, as your customer (the controller) will want to stay in charge of that.

However, prepare yourself for the request from your customer to execute these rights on their behalf. You will need to set up an End-User Data Rights Request Procedure (template in the Documentation Kit). This will also be part of the MSA (Master Service Agreement) that you sign with your customers. The Procedure can be added in the Procedure/Info part of this section.

In any case, if you receive a request from an End-User of your product/service, this is the section where you register it and add evidence, in case the Data Protection Authority files a request for information.

What to register:

  • Request from (name of the End-User)
  • Project (or customer)
  • Request date
  • The GDPR right type (drop-down list)
  • Status: in progress or closed (as a reminder)
  • End date (fill in when you close the request)
  • Link to tech job (link to the TechTeam ticket, with evidence of e.g. deletion)
  • Use extra fields if needed (to add evidence)

Data Breaches : Your overview of all data breaches 

First you will need to define your Data Breach Procedure (template in the Documentation Template Kit). Once finalised, add it to the Procedure/Info part of this section.

Be careful with classifying an event as a data breach, especially in conversations with clients and team members. Make sure it is clear to all team members that only the Data Protection Officer (DPO) can classify an event as a data breach. There are strict rules on the definition of a data breach; please check the link below from the Dutch Data Protection Authority (or use the equivalent from another EU country): https://www.autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/policy_rules_data_breach_notification_obligation.pdf

Once an event has been classified as a data breach, the 72-hour deadline for reporting to the Data Protection Authority applies; it runs from the moment you become aware of the breach, so the classification decision itself must not be delayed. Your SLA or T&C with your customer(s) describes the timing for communicating data breaches to them, which is usually shorter.

It is important that the team in charge of monitoring systems and support tickets has clear definitions of what is an event, what is an incident and what is a data breach. C-level always needs to be notified in case of a data breach, because it can have serious impact on the business and external communication will need to be involved.

In the template Data Breach Procedure, you can find steps to follow in case of data breach. 

For each data breach you document the process followed; the DPO is responsible for this. Make sure the improvements identified are also translated into actual Improvements.

Data breaches belong to the overview of Security Metrics, so they will be discussed and followed up by the ISMS Team during security meetings.

DPA Overview : Your overview of all Data Processing Agreements (with customers, suppliers etc.)

In Compleye Online we do not store signed contracts between your organisation and other stakeholders; the exception is the DPAs (Data Processing Agreements), as they contain no confidential information other than the data protection rules agreed upon.

We advise that your DPA always states that when the commercial contract expires, the DPA expires as well, so that you do not have to keep track of end dates for the DPA separately.

For small B2B companies the DPA can also be part of the commercial contract (MSA/SLA) and then does not need to be added to this section. In case special agreements are made between you and your customer, you either adopt the extra security or privacy activities as your own, or mention them in the Global Impact section.

If you do sign separate DPAs with your customers, partners and/or suppliers, you can file them here and keep track of special articles, or of the closing dates of these contracts (by adding extra fields).

Make sure that your DPA template is part of your Contracts Overview.

Type of DPA : the name of the template used (e.g. supplier, partner, customer)
Contract Party : name of the other company
Remarks : e.g. content that is not part of the template, additional agreements
Date Signed : closing date
DPA documents : add the actual DPA as evidence
Use extra fields if you want to keep track of additional information.

Legal Basis – Add new

Field: Legal Basis
  Value / Description: Select from the drop-down menu the legal basis that you apply in your organisation
  Example: consent
Field: Role
  Value / Description: Select a button field: Data Controller, Data Processor or both. High-level rule: if you are B2B, you are data processor, as your customer decides what the purpose of your product is. In some cases you can be both.
  Example: data controller
Field: Country of data collection
  Value / Description: free text field, write the name of the country
  Example: the Netherlands
Field: Data Protection Authority
  Value / Description: free text field
  Example: Dutch Data Protection Authority

User Documentation – Add new

Field: Type of End User Document
  Value / Description: Select from the drop-down menu the type of end-user document you would like to list
  Example: Internal Privacy Policy
Field: Languages
  Value / Description: free text field, the languages in which the documentation is published
  Example: Dutch, English
Field: Remarks
  Value / Description: free text field, any additional notes
  Example: none

User GDPR Rights Request – Add new

Field: Request from
  Value / Description: free text field, the party/customer/supplier the request is coming from
  Example: supplier
Field: Project
  Value / Description: free text field, the area of business the request is coming from
  Example: SuperCool Fremium 2022
Field: Request date
  Value / Description: calendar, select the date the request came in
  Example: 1st of February 2022
Field: Status
  Value / Description: select the button: request is in progress or closed
  Example: closed
Field: End Date
  Value / Description: calendar, select the date the request was closed
  Example: 2nd of February 2022
Field: Link to tech job
  Value / Description: free text field to paste the link related to the request

Data Breaches – Add new

Field: Data breach description
  Value / Description: free text field
  Example: Hacker attack
Field: Date
  Value / Description: calendar, select the date the breach incident took place
  Example: 3rd of May 2020
Field: Data breach report link
  Value / Description: free text field, add the link, and/or upload a document
Field: How it was handled
  Value / Description: free text field
  Example: within 18 hours evaluation with customer, within 72 hours reported to authorities
Field: Improvements made
  Value / Description: free text field
  Example: automated monitoring procedure
Field: Status
  Value / Description: select the button: data breach handling is in progress or closed
  Example: in progress

DPA Overview – Add new

Field: Type
  Value / Description: free text field, the name of the template used (e.g. supplier, partner, customer)
  Example: Supplier DPA
Field: Contract party
  Value / Description: free text field, name of the other company
  Example: Blowaway
Field: Remarks
  Value / Description: free text field, e.g. content that is not part of the template, such as an additional agreement
  Example: Used our own template
Field: Date signed
  Value / Description: calendar, select the closing date
  Example: 11th July 2021
Field: DPA documents
  Value / Description: add the actual DPA as evidence
Use additional fields if needed.
